Blue-CloudPEASS - Cloud IAM Security Auditor

AWS

Azure

GCP

ℹ️ AWS Blue-CloudPEASS

Audit AWS accounts for risky permissions, unused principals, and external trust relationships. This tool highlights security misconfigurations and provides actionable remediation guidance.

📖 View Blue-CloudPEASS documentation on GitHub

Minimum permissions & setup (AWS)

To avoid giving static credentials:

Create one or more roles with the required permissions below, add a trust policy that allows the Lambda role arn:aws:iam::202533532952:role/hacktricks-blue-cloudpeass-lambda-role to assume them, and then submit those role ARNs in the form.
The Lambda role must be trusted by the target role(s). This way this role will be used to access the roles and check every AWS account.
No static credentials are needed if the trust is configured correctly.

Minimum permissions required (includes Access Analyzer):

sts:GetCallerIdentity
iam:ListUsers, iam:ListGroups, iam:ListRoles, iam:GetGroup, iam:ListGroupsForUser
iam:ListAttachedUserPolicies, iam:ListAttachedGroupPolicies, iam:ListAttachedRolePolicies
iam:ListUserPolicies, iam:ListGroupPolicies, iam:ListRolePolicies
iam:GetUserPolicy, iam:GetGroupPolicy, iam:GetRolePolicy
iam:ListPolicies, iam:GetPolicy, iam:GetPolicyVersion
iam:ListAccessKeys, iam:GetAccessKeyLastUsed
access-analyzer:List*, access-analyzer:Get*, access-analyzer:CreateAnalyzer, access-analyzer:DeleteAnalyzer
iam:CreateServiceLinkedRole (for Access Analyzer)

Example (create IAM user + inline policy + access key):

USER_NAME="blue-cloudpeass-auditor"

aws iam create-user --user-name "${USER_NAME}"

cat > /tmp/blue-aws-min.json <<'JSON'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BlueAwsPeassRead",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:GetGroup",
        "iam:ListGroupsForUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListUserPolicies",
        "iam:ListGroupPolicies",
        "iam:ListRolePolicies",
        "iam:GetUserPolicy",
        "iam:GetGroupPolicy",
        "iam:GetRolePolicy",
        "iam:ListPolicies",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed",
        "access-analyzer:List*",
        "access-analyzer:Get*",
        "access-analyzer:CreateAnalyzer",
        "access-analyzer:DeleteAnalyzer",
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*"
    }
  ]
}
JSON

aws iam put-user-policy --user-name "${USER_NAME}" --policy-name "BlueAwsPeassMin" --policy-document file:///tmp/blue-aws-min.json
aws iam create-access-key --user-name "${USER_NAME}"

If you do not want Access Analyzer, remove the access-analyzer:* permissions and iam:CreateServiceLinkedRole from the policy.

AWS Access Key ID Your AWS access key ID for authentication

AWS Secret Access Key Your AWS secret access key

AWS Session Token (Optional) For temporary credentials

Assume Roles (Optional) Role ARNs to assume (comma or newline separated, max 10, must be valid AWS ARNs)

Lambda Role Option Use the Blue-CloudPEASS Lambda role (skip access keys)

Target roles must trust this Lambda role ARN: arn:aws:iam::202533532952:role/hacktricks-blue-cloudpeass-lambda-role

Risk Levels to Flag Which risk levels to include in the report

Minimum Unused Days Days a resource must be unused to be flagged (default: 90)

Options Disable AWS Access Analyzer (won't report unused resources/permissions) Only consider permissions with Resource: * (filter resource-scoped) Verbose mode (show detailed permission explanations)

I confirm that I have authorization to perform security testing on the provided cloud account and have read and agree to the Terms of Service. I understand that unauthorized testing may be illegal and I am solely responsible for ensuring proper authorization.

ℹ️ Azure Blue-CloudPEASS

Audit Azure subscriptions and Entra ID for risky permissions, inactive principals, guest users, and federated credential risks. Provides comprehensive security posture analysis.

📖 View Blue-CloudPEASS documentation on GitHub

Minimum permissions & setup (Azure)

Assign these RBAC roles at the management-group scope (so all subscriptions inherit):

Reader
Monitoring Reader (Activity Logs)
Management Group Reader

Grant Microsoft Graph app roles for principal resolution and guest scanning:

Directory.Read.All
User.Read.All
AuditLog.Read.All
Group.Read.All or GroupMember.Read.All

Example (create SP + assign roles):

APP_NAME="blue-cloudpeass-auditor"
MG_ID="your-management-group-id"
SCOPE="/providers/Microsoft.Management/managementGroups/${MG_ID}"

az ad sp create-for-rbac --name "${APP_NAME}" --skip-assignment --sdk-auth > /tmp/blue-azure-sp.json
APP_ID=$(az ad sp list --display-name "${APP_NAME}" --query "[0].appId" -o tsv)

az role assignment create --assignee "${APP_ID}" --role "Reader" --scope "${SCOPE}"
az role assignment create --assignee "${APP_ID}" --role "Monitoring Reader" --scope "${SCOPE}"
az role assignment create --assignee "${APP_ID}" --role "Management Group Reader" --scope "${SCOPE}"

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"
az ad app permission add --id "${APP_ID}" --api "${GRAPH_APP_ID}" --api-permissions \
  7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role \
  df021288-bdef-4463-88db-98f22de89214=Role \
  b0afded3-3588-46d8-8b3d-9842eff778da=Role \
  5b567255-7703-4780-807c-7be8301ae99b=Role \
  98830695-27a2-44f7-8c18-0c3ebc9698f6=Role
az ad app permission admin-consent --id "${APP_ID}"

If you disable Graph resolution, add --no-resolve-principals and --no-scan-entra when running the tool.

ARM Token (Optional) If provided, Blue-CloudPEASS will use this ARM access token instead of client credentials

Graph Token (Optional) Optional Microsoft Graph token (improves principal resolution). Requires ARM token.

Tenant ID / Domain Required for service principal auth (e.g., 00000000-0000-0000-0000-000000000000 or contoso.onmicrosoft.com)

Client ID Service principal (app) client ID

Client Secret Service principal client secret

Subscription IDs (Optional) Specific subscription IDs to analyze (can be specified multiple times, comma-separated)

Scope Options Analyze all accessible subscriptions

Risk Levels to Flag Which risk levels to include in the report

Minimum Unused Days Days without Activity Log events to consider inactive (default: 90)

Analysis Options Skip Activity Log scan (disables inactive/last-used heuristics) Disable Entra ID guest user scan Disable Managed Identity federated-credential scan Disable management group scan

ℹ️ GCP Blue-CloudPEASS

Audit GCP projects and organizations for risky permissions, inactive service accounts, public access, and external bindings. Identifies security risks across your GCP environment.

📖 View Blue-CloudPEASS documentation on GitHub

Minimum permissions & setup (GCP)

Grant these permissions at the org scope (recommended) or project scope:

resourcemanager.projects.get, resourcemanager.projects.list, resourcemanager.projects.getIamPolicy
resourcemanager.organizations.get, resourcemanager.organizations.getIamPolicy
resourcemanager.folders.getIamPolicy
iam.roles.get, iam.roles.list, iam.serviceAccountKeys.list
cloudasset.assets.searchAllIamPolicies
logging.logEntries.list
recommender.locations.list, recommender.iamPolicyRecommendations.list, recommender.iamPolicyChangeRiskRecommendations.list, recommender.iamServiceAccountChangeRiskRecommendations.list
serviceusage.services.use (and serviceusage.services.get/serviceusage.services.enable if you want auto-enable)

Example (org-level custom role + SA):

gcloud iam service-accounts create blue-cloudpeass-auditor --display-name="Blue CloudPEASS Auditor"
gcloud iam roles create blueCloudpeassAuditor --organization ORG_ID --title="Blue CloudPEASS Auditor" --permissions="resourcemanager.projects.get,resourcemanager.projects.list,resourcemanager.projects.getIamPolicy,resourcemanager.organizations.get,resourcemanager.organizations.getIamPolicy,resourcemanager.folders.getIamPolicy,iam.roles.get,iam.roles.list,iam.serviceAccountKeys.list,cloudasset.assets.searchAllIamPolicies,logging.logEntries.list,recommender.locations.list,recommender.iamPolicyRecommendations.list,recommender.iamPolicyChangeRiskRecommendations.list,recommender.iamServiceAccountChangeRiskRecommendations.list,serviceusage.services.use"
gcloud organizations add-iam-policy-binding ORG_ID --member="serviceAccount:blue-cloudpeass-auditor@PROJECT_ID.iam.gserviceaccount.com" --role="organizations/ORG_ID/roles/blueCloudpeassAuditor"
gcloud iam service-accounts keys create ./blue-cloudpeass-key.json --iam-account="blue-cloudpeass-auditor@PROJECT_ID.iam.gserviceaccount.com"

Service Account Key (JSON) Service account JSON key file content (required)

Quota Project (Optional) Billing project for API usage (defaults to service account project_id)

Project IDs (Optional) Specific GCP project IDs to analyze (comma-separated)

Organization ID (Optional) Organization ID to analyze (e.g., 1234567890)

Scope Options Enumerate and analyze all accessible projects Requires org-level permissions; if no projects are returned, use Organization ID instead.

Risk Levels to Flag Which risk levels to include in the report

Minimum Unused Days Days without audit-log activity to consider inactive (default: 90)

Analysis Options Skip resource IAM scan Skip workload identity scan Skip external domain scan Skip external trust scan

📊 Audit Results

Running Blue-CloudPEASS audit... This may take several minutes.

🛡️ Blue-CloudPEASS - Cloud IAM Security Auditor

🔒 Login required

ℹ️ AWS Blue-CloudPEASS

ℹ️ Azure Blue-CloudPEASS

ℹ️ GCP Blue-CloudPEASS

📊 Audit Results